Thread feature request ... kind of
Fri, Dec 11 2009 12:40 PM

"Lucian Radulescu"
> What I do is when a new user is created for the app I create a user
> in ElevateDB as well - same ID, the password is stored in ElevateDB
> not in my users table.

I understood you from the first time. IMO your approach is not secure:

Your way you're giving access to the EDBServer to the users of a
specific application (so some "smart" guy could get EDB Manager from
some sites and screw up the database, using the name/password he knows
from using the application)

My way is users have no idea how to login to the server. They know how
to login only in their specific application. They can get EDB Manager
but have no idea how to login to the server.

Probably you only deploy *one* application and you don't care about
this issue ... but that doesn't make it safe.


regards,
Lucian
Fri, Dec 11 2009 3:55 PM

Tim Young [Elevate Software]

Elevate Software, Inc.


Email timyoung@elevatesoft.com

Lucian,

<< If I have a SQL this in an application and among other things

CREATE TABLE "mytemptable" AS SELECT * FROM somequeryetc

then mytemptable is used to populate some other SELECT ... which then gets
displayed in some grid AND, the application is run by many people at the
same time, how does that work? >>

Just to clarify, you would use:

CREATE TEMPORARY TABLE

not the normal

CREATE TABLE

As for other users - each temporary table is session-specific.

--
Tim Young
Elevate Software
www.elevatesoft.com
Sat, Dec 12 2009 4:29 AM

Roy Lambert

NLH Associates

Team Elevate

Lucian

>> What I do is when a new user is created for the app I create a user
>> in ElevateDB as well - same ID, the password is stored in ElevateDB
>> not in my users table.
>
>I understood you from the first time. IMO your approach is not secure:
>
>Your way you're giving access to the EDBServer to the users of a
>specific application (so some "smart" guy could get EDB Manager from
>some sites and screw up the database, using the name/password he knows
>from using the application)

Only if they manage to pick up a copy of EDBManager with a session set up that has the specific encryption password built in :)

>My way is users have no idea how to login to the server. They know how
>to login only in their specific application. They can get EDB Manager
>but have no idea how to login to the server.

Neither do mine.

>Probably you only deploy *one* application and you don't care about
>this issue ... but that doesn't make it safe.

I do care about it, but I have used ElevateDB's encryption feature, so not only is the encryption password needed to access the tables, those tables that are sensitive are encrypted as well.

Roy Lambert
Sat, Dec 12 2009 10:55 AM

"Lucian Radulescu"
> Only if they manage ....

> > Manager but have no idea how to login to the server.
>
> Neither do mine.

Well, they do, "if they manage...."

regards,
Lucian